Smithsonian Institution
Office of the Inspector General

In Brief

Smithsonian Institution Research Information System
Report Number A-09-02, June 12, 2009


Why We Did This Audit

Under the Federal Information Security Management Act of 2002 (FISMA), the Office of the Inspector General conducts an annual independent assessment of the Institution's information security system. As part of that assessment, FISMA requires a review of a subset of information systems. This report covers one such system, the Smithsonian Institution Research Information System (SIRIS), and evaluates management, operational, and technical security controls.


What We Found

SIRIS is an Institution-wide system for both public and scholarly research. It applies established national standards to manage, describe, and provide access to information resources held primarily by the Institution's libraries, archives, and research units in support of the Institution's mission.

Overall, we determined operational, management, and technical controls for the SIRIS application were substantially in place and operating effectively. While management has complied with the majority of Institution, OMB, and NIST requirements, we did identify three areas where management needs to implement improvements. Specifically, we found that:

• Librarians entered social security numbers into SIRIS, against established policy and without management's knowledge, increasing the risk that this information may be inappropriately accessed and used by unauthorized personnel.

• Management has not developed or implemented a security configuration baseline for the SIRIS database. Instead, management uses the default configuration settings, which may not adequately protect the system.

• Finally, the SIRIS security plan does not accurately describe all controls in place. Without adequate or accurate descriptions of controls, management may be unaware of security risks to the system.


What We Recommended

We made 3 recommendations to strengthen controls over the SIRIS application by ensuring that librarians do not enter sensitive personally identifiable information such as social security numbers into the SIRIS application; that management identifies, documents, and implements a baseline for the SIRIS database; and that management reviews and updates the system security plan to include accurate descriptions of the controls in place or planned.

Management concurred with our findings and recommendations and has planned actions that will resolve all our recommendations.


For additional information, contact the Office of the Inspector General at (202) 633-7050 or visit http://www.si.edu/oig.